The Android Platform Security Model

Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This paper aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model

A Time-composable Operating System

Time composability is a guiding principle to the development and certification process of real-time embedded systems. Considerable efforts have been devoted to studying the role of hardware architectures - and their modern accelerating features - in enabling the hierarchical composition of the timing behaviour of software programs considered in isolation. Much less attention has been devoted to the effect of real-time Operating Systems (OS) on time composability at the application level. In fact, the very presence of the OS contributes to the variability of the execution time of the application directly and indirectly; by way of its own response time jitter and by its effect on the state retained by the processor hardware. We consider zero disturbance and steady behaviour as those characteristic properties that an operating system should exhibit, so as to be time-composable with the user applications. We assess those properties on the redesign of an ARINC compliant partitioned operating system, for use in avionics applications, and present some experimental results from a preliminary implementation of our approach within the scope of the EU FP7 PROARTIS project

Vulnerability Analysis and Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Systems

Much effort has been put into improving the predictability of real-time systems, especially in safety-critical environments, which provides designers with a rich set of methods and tools to attest safety in situations with no or a limited number of accidental faults. However, with increasing connectivity of real-time systems and a wide availability of increasingly sophisticated exploits, security and, in particular, the consequences of predictability on security become concerns of equal importance. Time-triggered scheduling with offline constructed tables provides determinism and simplifies timing inference, however, at the same time, time-triggered scheduling creates vulnerabilities by allowing attackers to target their attacks to specific, deterministically scheduled and possibly safety-critical tasks. In this paper, we analyze the severity of these vulnerabilities by assuming successful compromise of a subset of the tasks running in a real-time system and by investigating the attack potential that attackers gain from them. Moreover, we discuss two ways to mitigate direct attacks: slot-level online randomization of schedules, and offline schedule-diversification. We evaluate these mitigation strategies with a real-world case study to show their practicability for mitigating not only accidentally malicious behavior, but also malicious behavior triggered by attackers on purpose

AGM, a dataflow database machine

In recent years, a number of database machines consisting of large numbers of parallel processing elements have been proposed. Unfortunately, one of the main limitations to parallelism in database processing is the I/O bandwidth of the underlying storage devices. One way to solve this problem is to use multiple parallel disk units. The main problem with this approach, however, is the lack of a computational model capable of utilizing the potential of any significant number of such devices.This paper presents a database model which is based on the principles of data-driven computation. According to this model, the database is represented as a network in which each node is conceptually an independent processing element, capable of communicating with other nodes by exchanging messages along the network arcs. To answer a query, one or more such messages, called tokens, are created and injected into the network. These then propagate asynchronously through the network in the search of results satisfying the given query.To investigate the performance of the proposed system, we have implemented the model on a simulated computer architecture. The results of the simulation ex-periments indicate that the model is capable of exploiting the potential I/O band-width of a large number of disk units as well as the computational power of the associated processing elements

A TrustZone-assisted hypervisor supporting dynamic partial reconfiguration

Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresTraditionally, embedded systems were dedicated single-purpose systems characterised by hardware resource constraints and real-time requirements. However, with the growing computing abilities and resources on general purpose platforms, systems that were formerly divided to provide different functions are now merging into one System on Chip. One of the solutions that allows the coexistence of heterogeneous environments on the same hardware platform is virtualization technology, usually in the form of an hypervisor that manage different instances of OSes and arbitrate their execution and resource usage, according to the chosen policy. ARM TrustZone has been one of the technologies used to implement a virtualization solution with low overhead and low footprint. µRTZVisor a TrustZoneassisted hypervisor with a microkernel-like architecture - is a bare-metal embedded hypervisor that relies on TrustZone hardware to provide the foundation to implement strong spatial and temporal isolation between multiple guest OSes. The use of Partial Reconfiguration allows the designer to define partial reconfigurable regions in the FPGA and reconfigure them during runtime. This allows the system to have its functionalities changed during runtime using Dynamic Partial Reconfiguration (DPR), without needing to reconfigure all the FPGA. This is a major advantage, as it decreases the configuration overhead since partial bitstreams are smaller than full bitstreams and the reconfiguration time is shorter. Another advantage is reducing the need for larger logic areas and consequently reducing their power consumption. Therefore, a hypervisor that supports DPR brings benefits to the system. Aside from better FPGA resources usage, another improvement that it brings, is when critical hardware modules misbehave and the hardware module can be replaced. It also enables the controlling and changing of hardware accelerators dynamically, which can be used to meet the guest OSes requests for hardware resources as the need appears. The propose of this thesis is extending the µRTZVisor to have a DPR mechanism.Tradicionalmente, os sistemas embebidos eram sistemas dedicados a uma única tarefa e apenas limitados pelos seus requisitos de tempo real e de hardware. Contudo, como as plataformas de uso geral têm cada vez mais recursos e capacidade de processamento, muitos dos sistemas que executavam separadamente, passaram a apenas um sistema em plataforma recorrendo à tecnologia de virtualização, normalmente como um hipervisor que é capaz de gerir múltiplos sistemas operativos arbitrando a sua execução e acesso aos recursos da plataforma de acordo com uma politica predefinida. A tecnologia TrustZone da ARM tem sido uma das soluções implementadas sem ter grande impacto na performance dos sistemas operativos. µRTZVisor é um dos hipervisores baseados na TrustZone para implementar um isolamento espacial e temporal entre múltiplos sistemas operativos, sendo que defere de outras uma vez que é de arquitectura microkernel. O uso de Reconfiguração Parcial Dinâmica (RPD) permite ao designer definir várias regiões reconfiguráveis no FPGA que podem ser dinamicamente reconfiguradas durante o período de execução. Esta é uma grande vantagem, porque reduz os tempos de reconfiguração de módulos reconfiguráveis uma vez que os seus bitstreams são mais pequenos que bitstreams para a plataforma toda. A tecnologia também permite que nos FPGAs não sejam necessárias áreas lógicas tão grandes, o que também reduz o consumo de energia da plataforma. Um hipervisor que suporte RPD traz grandes benefícios para o sistema, nomeadamente melhor uso dos recursos de FPGA, implementação de aceleradores em hardware dinamicamente reconfiguráveis, e tratamento de falhas no hardware. Se houverem módulos que estejam a demonstrar comportamentos inesperados estes podem ser reconfigurados. O uso de aceleradores reconfiguráveis permite que o hardware seja adaptável conforme a necessidade destes pelos diferentes sistemas operativos. A proposta desta dissertação é então estender o µRTZVisor para ter a capacidade de usar módulos reconfiguráveis por RPD

A Transactional Model and Platform for Designing and Implementing Reactive Systems

A reactive program is one that has ongoing interactions with its environment. Reactive programs include those for embedded systems, operating systems, network clients and servers, databases, and smart phone apps. Reactive programs are already a core part of our computational and physical infrastructure and will continue to proliferate within our society as new form factors, e.g. wireless sensors, and inexpensive (wireless) networking are applied to new problems. Asynchronous concurrency is a fundamental characteristic of reactive systems that makes them difficult to develop. Threads are commonly used for implementing reactive systems, but they may magnify problems associated with asynchronous concurrency, as there is a gap between the semantics of thread-based computation and the semantics of reactive systems: reactive software developed with threads often has subtle timing bugs and tends to be brittle and non-reusable as a holistic understanding of the software becomes necessary to avoid concurrency hazards such as data races, deadlock, and livelock. Based on these problems with the state of the art, we believe a new model for developing and implementing reactive systems is necessary. This dissertation makes four contributions to the state of the art in reactive systems. First, we propose a formal yet practical model for (asynchronous) reactive systems called reactive components. A reactive component is a set of state variables and atomic transitions that can be composed with other reactive components to yield another reactive component. The transitions in a system of reactive components are executed by a scheduler. The reactive component model is based on concepts from temporal logic and models like UNITY and I/O Automata. The major contribution of the reactive component model is a formal method for principled composition, which ensures that 1) the result of composition is always another reactive component, for consistency of reasoning; 2) systems may be decomposed to an arbitrary degree and depth, to foster divide-and-conquer approaches when designing and re-use when implementing; 3)~the behavior of a reactive component can be stated in terms of its interface, which is necessary for abstraction; and 4) properties of reactive components that are derived from transitions protected by encapsulation are preserved through composition and can never be violated, which permits assume-guarantee reasoning. Second, we develop a prototypical programming language for reactive components called rcgo that is based on the syntax and semantics of the Go programming language. The semantics of the rcgo language enforce various aspects of the reactive component model, e.g., the isolation of state between components and safety of concurrency properties, while permitting a number of useful programming techniques, e.g., reference and move semantics for efficient communication among reactive components. For tractability, we assume that each system contains a fixed set of components in a fixed configuration. Third, we provide an interpreter for the rcgo language to test the practicality of the assumptions upon which the reactive component model are founded. The interpreter contains an algorithm that checks for composition hazards like recursively defined transitions and non-deterministic transitions. Transitions are executed using a novel calling convention that can be implemented efficiently on existing architectures. The run-time system also contains two schedulers that use the results of composition analysis to execute non-interfering transitions concurrently. Fourth, we compare the performance of each scheduler in the interpreter to the performance of a custom compiled multi-threaded program, for two reactive systems. For one system, the combination of the implementation and hardware biases it toward an event-based solution, which was confirmed when the reactive component implementation outperformed the custom implementation due to reduced context switching. For the other system, the custom implementation is not prone to excessive context switches and outperformed the reactive component implementations. These results demonstrate that reactive components may be a viable alternative to threads in practice, but that additional work is necessary to generalize this claim

The parallel event loop model and runtime: a parallel programming model and runtime system for safe event-based parallel programming

Recent trends in programming models for server-side development have shown an increasing popularity of event-based single- threaded programming models based on the combination of dynamic languages such as JavaScript and event-based runtime systems for asynchronous I/O management such as Node.JS. Reasons for the success of such models are the simplicity of the single-threaded event-based programming model as well as the growing popularity of the Cloud as a deployment platform for Web applications. Unfortunately, the popularity of single-threaded models comes at the price of performance and scalability, as single-threaded event-based models present limitations when parallel processing is needed, and traditional approaches to concurrency such as threads and locks don't play well with event-based systems. This dissertation proposes a programming model and a runtime system to overcome such limitations by enabling single-threaded event-based applications with support for speculative parallel execution. The model, called Parallel Event Loop, has the goal of bringing parallel execution to the domain of single-threaded event-based programming without relaxing the main characteristics of the single-threaded model, and therefore providing developers with the impression of a safe, single-threaded, runtime. Rather than supporting only pure single-threaded programming, however, the parallel event loop can also be used to derive safe, high-level, parallel programming models characterized by a strong compatibility with single-threaded runtimes. We describe three distinct implementations of speculative runtimes enabling the parallel execution of event-based applications. The first implementation we describe is a pessimistic runtime system based on locks to implement speculative parallelization. The second and the third implementations are based on two distinct optimistic runtimes using software transactional memory. Each of the implementations supports the parallelization of applications written using an asynchronous single-threaded programming style, and each of them enables applications to benefit from parallel execution